In a recent discovery, SafetyDetectives’ Cybersecurity Team stumbled upon a clear web forum post where a threat actor offered a database allegedly belonging to The Epoch Times, purportedly exposing 32 million records.

What is The Epoch Times?

Founded in the year 2000, The Epoch Times is an international multi-language newspaper and media company born out of the need to provide uncensored news to people immersed in propaganda and censorship in China.

The newspaper published its first English edition in 2003. At the time of writing, the newspaper’s sites are accessible in 35 countries, but remain blocked in mainland China.

Where Was The Data Found?

The data was found in a forum post available on the clear surface web. This well-known forum operates message boards dedicated to database downloads, leaks, cracks, and more.

Key Detail

Recently, The Epoch Times published a couple of articles reporting that CCP-affiliated hackers had targeted it. According to the articles, the United States’ Justice Department charged 12 Chinese nationals in connection with a wide-ranging cyber campaign against the country, with The Epoch Times among the victims.

Eight of the individuals charged were employees of i-Soon, a Chinese tech firm that allegedly had hacked government agencies worldwide since 2016, ostensibly under the direction of Chinese authorities.

A few days after this information went public, SafetyDetectives’ Cybersecurity Team discovered a forum post on the clear web in which the author had offered a dataset allegedly belonging to The Epoch Times.

What Was Leaked?

According to the author’s claims, the data consisted of 32 million records, purportedly containing The Epoch Times subscribers’ usernames, full names, phone numbers, credit card numbers, card expiration dates, billing addresses, invoices, emails, devices, and locations.

The forum post showed only the headers of the alleged Epoch Times’ data, but it came with a link to a sample of the data. The author did not specify what they wanted in exchange for the full dataset, but they did share an email address so interested parties could get in touch.

Our Cybersecurity Team reviewed the sample of the data shared to assess its authenticity, and although the data seemed legit, we could not confirm it actually belonged to The Epoch Times subscribers.

The freely shared sample consisted of three .txt files, which combined contained over one thousand lines exhibiting:

  • First name,
  • Last name,
  • Email,
  • Phone,
  • Physical address,
  • Subscription type and amount,
  • Billing address,
  • Device details and OS,
  • Location (GPS coordinates),
  • IP address.

In the sample, we could see data of alleged users from the USA, Canada, France, UK, Russia and some other countries from Europe, the Americas, and Asia. Notably, no credit card details were found in any of the sample files. However, even without the credit card numbers, the exposed data is still considered sensitive, as malicious actors could use it to plan and execute various types of attacks on the affected people.

Figure: Screenshot of the forum post.

What Risks Does This Data Exposure Pose?

The leaked data poses a threat to the security and privacy of those affected by the breach, potentially leaving them vulnerable to various types of cyberattacks, including:

  • Phishing attacks: Cybercriminals may use the leaked information to create convincing emails or messages that appear to be from The Epoch Times. These messages aim to trick individuals into providing more sensitive information or clicking on malicious links.
  • Targeted scams: Armed with knowledge of an individual’s data, scammers could potentially tailor their fraudulent schemes to appear more legitimate and increase their likelihood of success.
  • Social engineering attacks: A social engineering attack occurs when a cybercriminal uses manipulation to deceive a target into revealing confidential information or performing actions that jeopardize security.

What to Do If You Believe Your Data Was Exposed

If you suspect that your personal information was compromised in this data leak, you can take these steps to protect yourself:

  1. Report any unusual events: Report any fraudulent activity or suspicious messages linked to this incident to The Epoch Times. Exercise caution when sharing information, especially with unknown individuals or unverified sources.
  2. Update all privacy settings: Adjust the privacy settings on your social media accounts and other online platforms to restrict the visibility of your personal information to the public. Keep an eye out for updates that can help enhance your online security.
  3. Beware of social engineering attacks: Learn about social engineering threats, such as phishing, so you know what to look for. Exercise caution and always confirm the legitimacy of unexpected messages, especially those requesting personal or financial information.
  4. Beware of phishing attempts: Stay alert when receiving unexpected emails, messages, or phone calls requesting personal information or payment details. Avoid clicking on links or downloading attachments from unfamiliar sources to protect your security.

What Are Clearweb Leaks and Why Should You Care?

Hackers utilize various parts of the internet to coordinate attacks, share information, and discuss data breaches. Among the most popular channels hackers use for these purposes are clearweb forums, which are online networks, available to anyone with an internet connection, that allow users to share information about breaches and leaks. These forums provide a sense of anonymity to their members as well as features like paywalling for those users who require payment to access the information they are sharing.

By reporting on these incidents, we aim to proactively inform potentially affected parties earlier so that they can act quickly to protect their data. Our disclosures are rooted in meticulous research and are intended solely for informational and preventive purposes. In no way should these reports be construed as allegations, insinuations, or indicators of fault or negligence by any individual or organization.

Similar Cybersecurity Incidents

In a recent discovery, SafetyDetectives’ Cybersecurity Team stumbled upon a clear web forum post where a threat actor publicized over 27 million records allegedly belonging to French Boulanger Electroménager & Multimédia’s customers for free. The same data had been offered for sale by a threat actor back in 2024.